Marina Krotofil
Round Table on Cybersecurity Best Practices for Users of Radioactive Sources, Vienna, Austria, 10.09.2019
Understanding Cyber Threats and Associated Risks for Radioactive Sources
About myself
• Senior Security Engineer at a large chemical company – defender role
• Specializing in offensive cyber-physical security in Critical Infrastructures
o Focus: Physical damage, or how to make something go bad, crash or blow up by means of cyber-attacks
My only experience with the nuclear field
[Figure: plots of "A and C feed" (kscm/h) over time (hours), comparing the genuine sensor signal with a spoofed one]
M. Krotofil, J. Larsen, D. Gollmann. The Process Matters: Ensuring Data Veracity in Cyber-Physical Systems (ASIACCS, 2015)
In this presentation
• Evolution: Threat actors and their motivation
• Current trends: Cyber threat landscape
• Product security: Worrisome state of the art
Threat actor evolution
Modernization of the nuclear industry
https://www.nti.org/analysis/tools/table/133/
https://www.popularmechanics.com/technology/infrastructure/a28912471/digital-nuclear-reactor/
(Cyber)Terrorists
• Aim at dramatic effect (Godzilla effect)
• Previously did not showcase strong technical or cyber capabilities
• Currently: actively recruiting members with engineering and cyber background/skills
http://securityaffairs.co/wordpress/wp-content/uploads/2016/06/isis-hackers-caliphate-cyber-army-cca.jpg
(Cyber) Criminals
• (May) use cyber attacks to support criminal activities
− E.g., stealing/smuggling nuclear materials
• Discovered ways to monetize attacks in infrastructures with critical uptime/availability requirements
− Extortion attacks (ransomware)
• Participating in the market as a resource for hiring
− Hackers for hiring
− Hacking tools for sale
www.europol.europa.eu/sites/default/files/documents/cyberbits_04_ocean13.pdf
State-sponsored threat actors
• The build-up of capabilities keeps accelerating
− Leaked NSA catalogue of cyber tools
• Strategic operations to support long-term objectives
− E.g. espionage, persistence
• Hacking to support the national economy
− E.g., discredit competitor products or subvert production lines
https://www.aclu.org/files/natsec/nsa/20140130/NSA%27s%20Spy%20Catalogue.pdf
Recent high-profile attacks
Hackers targeted 600 MAC addresses, 2019
Over 500,000 affected devices (over 10 brands & 70 models), 2018
Hackers targeted specific records of 20 individuals, 2019
Threat actors that were lagging behind are catching up
https://threatpost.com/chinas-apt3-pilfers-cyberweapons-nsa/148086/
Threat actors with special privileges
https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
“Defense-in-Depth” in perimeter security
• Sensitive and confidential documentation is readily available
− Unprotected repositories
− Public sources, e.g. Virus Total, Scribd, etc.
− Purposely leaked data and documentation
https://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317
Accessibility of proprietary information
Sensitive documentation on Internet
• One no longer needs to be a rich and legitimate buyer to obtain equipment
− Can be purchased on e-commerce platforms
− Firmware available on GitHub
− Even source code can be obtained
Easily obtainable hardware & software
Hardware and software for purchase
Source code
Current trends in the cyber threat landscape
Targeted ransomware
https://www.zdnet.com/article/norsk-hydro-ransomware-incident-losses-reach-40-million-after-one-week/
Cryptomining farms in isolated facilities
https://www.coindesk.com/russian-scientists-arrested-crypto-mining-nuclear-lab
https://www.wired.com/story/nuclear-plant-cryptomining-bec-scam-xbox-security-roundup/
Matured zero-day & offensive tools market
https://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf
Main trend in offensive security
Race-to-the-Bottom in e-commerce
http://isyou.info/jowua/papers/jowua-v3n12-1.pdf
Business processes secure by design
Current threat models assume that the e-commerce application is “taken” by the attacker
BIOS rootkits
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
Brief history of cyber-physical attacks
[Timeline, reconstructed from the slide]
1999: First active recon & initial intrusion attempts
2010: Planned operation to hinder Iran’s nuclear program (Stuxnet)
2013: First publicly known OT recon activities (HAVEX)
2015: Ukraine power grid attack (BlackEnergy)
2016: Ukraine power grid attack (Industroyer)
2017: TRITON
Phases marked on the timeline: Successful cyber-physical experiments; Reconnaissance and weaponization of capabilities; It’s happening: publicly known cyber-physical attacks
https://qph.fs.quoracdn.net/main-qimg-f741c6e5db32b87f282e54448a2129ce
Purdue network reference architecture
[Figure: Purdue levels, bottom to top: Level 0 (physical process), Level 1 and Level 2 (OT network), Level 3 and Level 4 (IT network)]
Race-to-the-Bottom when placing exploits
[Figure: the same Purdue levels (Level 0 physical process, Levels 1–2 OT network, Levels 3–4 IT network) annotated with BlackEnergy (2015), Industroyer (2016) and TRITON (2017), each placed lower in the architecture than the previous one]
TRITON implant
[Figure: Triconex controller layers: Triton implant, firmware, control logic, human operator. Caption: “Your wish is my command”]
TRICONEX: Safety Integrity Level (SIL3)
http://iom.invensys.com/EN/pdfLibrary/Datasheet_Triconex_TriconSIL3_06-11.pdf
Triconex in the nuclear field
Multidisciplinary attack teams
• Origin of one of the attacks was narrowed down to the Central Scientific Research Institute of Chemistry and Mechanics
• Unusual/novel modus operandi for offensive operations
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
Current cyber operations in ICS domain
Espionage, PERSISTENCE, Reconnaissance
https://www.us-cert.gov/ncas/alerts/TA18-074A
https://www.ncsc.gov.uk/news/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
Intrusion via trusted third-parties
Trusted third parties: subcontractors, service providers, etc.
Supply chain compromise (big problem!)
https://fcw.com/articles/2018/04/23/china-supply-chain-cyber.aspx
https://theintercept.com/2019/01/24/computer-supply-chain-attacks/
https://www.wired.com/story/supply-chain-hacks-cybersecurity-worst-case-scenario/
Compromised security controls
• Stolen certificates to sign malware and compromised software
• Compromised malware protection companies
− Whitelisting service providers
− Antivirus companies
• Compromised software and firmware updates
https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/
Contractor threat
https://udf.by/news/economic/196974-biznes-po-kitajski-stala-izvestna-prichina-rastorzhenija-kontrakta-po-svetlogorskomu-ckk.html
Product security
Urgent need for stricter requirements
(In)security of Radiation Monitoring Devices
https://www.blackhat.com/docs/us-17/wednesday/us-17-Santamarta-Go-Nuclear-Breaking%20Radition-Monitoring-Devices-wp.pdf
https://www.wired.com/story/radioactivity-sensor-hacks/
https://www.bleepingcomputer.com/news/security/three-vendors-decline-to-patch-vulnerabilities-in-nuclear-radiation-monitors/
http
://ww
w.in
sp
ectio
n-k
its.c
om
/Up
loa
dF
ile/la
rge
//20
12
04
29
/Wire
less-R
em
ote
-Mo
nito
ring
-Syste
m-1
.jpg
Insecure medical equipment
https://www.securityweek.com/serious-vulnerabilities-found-fujifilm-x-ray-devices
https://www.forbes.com/sites/thomasbrewster/2018/04/23/x-ray-machines-taken-over-by-healthcare-hackers
Hardware backdoors in equipment
No place to hide
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
NSA intercepting Cisco router shipments and installing implants
Embedded systems security is very poor
https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Dissecting-QNX.pdf
https://www.darkreading.com/vulnerabilities---threats/siemens-s7-plcs-share-same-crypto-key-pair-researchers-find-/d/d-id/1335452
Product compromise via supply chain
Industrial transmitter
Layers of standardized electronics (for individual vendors)
• Supply-chain attacks
‒ Allow bypassing multiple levels of security
‒ Better scaling of attack efforts
Concluding remarks
Some takeaways
• Accelerated build-up of advanced cyber/cyber-physical capabilities
• Race-to-the-Bottom and supply chain security
• Compromise of security controls/mechanisms
Marina Krotofil
Thank you